DHS CINA COE, George Mason University
CINA Mentor: Isaac Gang
Faculty PI: Boyan Kostadinov, City Tech
Joseph Liu, Julio Rayme, City Tech
8/11/2022
On February 27, 2022, just 3 days after Russia invaded Ukraine, a Ukrainian “cybersecurity researcher”, angered by Russia’s invasion of his country, published a cache of chat logs with conversations between members of the notorious Russian-speaking ransomware group Conti.
The original JSON files in Russian can be found here:
A complete English translation of the Conti chat logs is also provided by Northwave Security, but it contains both English and Russian text and it is more difficult to work with.
Bill Demirkapi, a computing security major at Rochester Institute of Technology, shared on Twitter a version of the Conti chat logs translated into English, which we used:
Sure: https://t.co/6YAd7axF3L
— Bill Demirkapi (@BillDemirkapi) February 28, 2022
The Conti data contains messages allegedly taken from a Jabber server that Conti used for instant messaging.
The leak contained 393 JSON files, each having 4 variables:
date: date the message was sent
from: user who sent the message
to: user who received the message
body: the text of the message
In total, the files contain 60,800 messages sent between 1/29/2021 and 2/27/2022.
We discovered that the 393 JSON files were not properly formatted, and as a result we could not parse them. We used an online tool, Jsonrepair, to repair the files.
Then we were able to parse the JSON files, and we wrote a function to merge their content into a single dataframe.
We extracted the date (ymd) from the ts variable and separated the user names from the onion email addresses in both the from and to variables, creating a dataframe with 4 variables and 60,800 observations.
The number of unique users who sent messages is 267 and the full list is given below:
There are 71 users in the set difference \(\text{to} - \text{from}\), who received messages but never sent any messages. The number of unique users who sent messages is 335 and the full list is given below:
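As an added example (not code from the original report), here is a stdlib-only Python version of the merge-and-split step described above, run on two constructed JSON "files" in the ts/from/to/body shape; the user names and onion domains in the sample are placeholders, not addresses from the leak. A file that fails to parse is reported by name and position so it can be sent through a repair step, and the last function computes the set difference to − from used above.

```python
"""Merge Conti-style JSON chat exports into one flat record list (added example)."""
from __future__ import annotations
import json
from datetime import datetime

# Constructed sample: two "files" in the ts / from / to / body shape the report
# describes. The ONION-A / ONION-B domains are placeholders, not real addresses.
SAMPLE_FILES = {
    "2021-01-29-general.json": json.dumps([
        {"ts": "2021-01-29T10:15:00", "from": "stern@ONION-A.onion",
         "to": "mango@ONION-A.onion", "body": "hi"},
        {"ts": "2021-01-29T10:16:30", "from": "mango@ONION-A.onion",
         "to": "stern@ONION-A.onion", "body": "hi bro"},
    ]),
    "2021-01-30-general.json": json.dumps([
        {"ts": "2021-01-30T08:00:00", "from": "mango@ONION-A.onion",
         "to": "salamandra@ONION-B.onion", "body": "new hires?"},
        {"ts": "2021-01-30T09:00:00", "from": "stern@ONION-A.onion",
         "to": "bentley@ONION-A.onion", "body": "build ready?"},
    ]),
}


def split_jid(address: str) -> tuple:
    """Split 'user@domain' into (user, domain); a bare name gets an empty domain."""
    user, _sep, domain = address.partition("@")
    return user, domain


def parse_file(name: str, text: str) -> list:
    """Parse one JSON file into flat records. Malformed JSON is reported with the
    file name and position instead of being skipped silently, so the file can be
    repaired (the report used the jsonrepair tool for this) and re-run."""
    try:
        items = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"{name}: malformed JSON at line {exc.lineno}, "
                         f"column {exc.colno}") from exc
    records = []
    for item in items:
        from_user, from_domain = split_jid(item["from"])
        to_user, to_domain = split_jid(item["to"])
        records.append({
            # ymd date extracted from the ISO timestamp in ts
            "date": datetime.fromisoformat(item["ts"]).date().isoformat(),
            "from": from_user,
            "to": to_user,
            "body": item["body"],
            "from_domain": from_domain,
            "to_domain": to_domain,
        })
    return records


def load_all(files: dict) -> list:
    """Merge every file (in name order) into one record list, the report's
    'single dataframe'."""
    merged = []
    for name in sorted(files):
        merged.extend(parse_file(name, files[name]))
    return merged


def receive_only(records) -> set:
    """Users in the set difference to - from: received messages, never sent one."""
    senders = {r["from"] for r in records}
    receivers = {r["to"] for r in records}
    return receivers - senders


if __name__ == "__main__":
    recs = load_all(SAMPLE_FILES)
    print(len(recs), "messages merged")
    print("senders:", sorted({r["from"] for r in recs}))
    print("receive-only users:", sorted(receive_only(recs)))
```

The merged records keep the onion domain as a separate column, which is what makes the later check for the handful of accounts whose addresses did not end in .onion a one-line filter.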
In July 2019, the SpringHill Healthcare Center in Alabama was struggling with a ransomware attack; heart rate monitors failed and, fatally, a newborn died. This was the first “death by ransomware”.
AIDS: 1989, trojan, floppy disk, $189, US.
CryptoLocker: 2013, trojan, 0.5 BTC, $3 mill.
CryptoWall: 2014 $500 worth BTC.
SimpleLocker: 2014, android devices.
TeslaCrypt: 2015, trojan, $500 worth BTC.
Petya: 2016, $300 worth BTC.
Locky: 2016, email, doc file, 0.5-1 BTC.
Jigsaw: 2016.
WannaCry: 2017, worm, $300-$600, hundreds of billions in damages, NK.
Bad Rabbit: 2017.
Cerber: 2016, phishing, $2.3 mill., does not attack ex-USSR countries.
Ryuk: 2018, phishing, sophisticated.
Conti: 2020.
variant of ransomware
gain initial access to network through emails that contain malicious attachments or links
poses a severe threat to and damages the system, namely by encrypting data on the victim’s computer
spreads to other computers on the same computer network
Most prolific and costliest transnational ransomware group
The FBI estimates that, as of January 2022, Conti remains active, with reported attacks against U.S. and international organizations
Payouts exceeding $150,000,000
Source: NJCCIC
Most Sundays appeared to be days off, except for two Sundays. The biggest Sunday spike in activity took place on 12/12/2021 when 400 messages were sent. This correlates with the Conti ransomware attack on Shutterfly, which later disclosed that Conti deployed the ransomware on December 13th, 2021.
Almost 300 messages were sent on Sunday 01/23/22. The day after, on 01/24/22, a warning was released about a possible Russian cyberattack on the U.S. should the U.S. interfere with the invasion of Ukraine. Reference
Summary statistics of the number of messages sent per day (all messages):
| minimum | q1 | median | mean | q3 | maximum |
|---|---|---|---|---|---|
| 1 | 38 | 117 | 155 | 208 | 1289 |
Summary statistics of the number of encrypted messages sent per day:
| minimum | q1 | median | mean | q3 | maximum |
|---|---|---|---|---|---|
| 1 | 20 | 66 | 76 | 120 | 269 |
There are 15,415 encrypted messages, which is about 25% of all messages.
March 19th 2021
The Acer ransom, the highest ransom ever claimed, was demanded by REvil. On March 18, 2021, a REvil affiliate claimed on their data leak site that they had downloaded data from Acer as well as installing ransomware. The cybersecurity firm Advanced Intel linked the attack to the 2021 Microsoft Exchange Server data breach, finding the first signs of Acer servers being targeted on 5 March 2021. A $50 million ransom was demanded to decrypt the undisclosed number of systems and to delete the downloaded files, increasing to $100 million if not paid by 28 March 2021. Remember that on March 19, 2021, Conti had the highest volume of encrypted messages: 269 encrypted messages were sent on that day! Reference
March 23-27, 2021
Conti had a high volume of encrypted messages between March 23 and March 26 (around 300 encrypted messages). On March 27, 2021, REvil attacked Harris Federation and published multiple financial documents of the federation on its blog. As a result, the IT systems of the federation were shut down for some weeks, affecting up to 37,000 students.
June 9-11, 2021
On June 9, 2021, Conti had the second highest volume of encrypted messages, 229 encrypted messages were sent on that day. Chicago-based solar and wind developer Invenergy said that it has been hacked, following a recent trend in energy-data security breaches. Russia-linked hackers REvil claimed involvement in the breach. The attack was reported June 11 and is the latest in a series of hacks claimed on REvil’s dark web site, including recent attacks on Quanta, a Taiwanese supplier of Apple, and JBS, an industrial meatpacker. Reference
from-to pairs with the most encrypted messages
Before being processed, the large majority of email addresses in this data set ended in the .onion extension. Such addresses are hard to track.
However, there are 8 users whose email addresses ended in other extensions.
| minimum | q1 | median | mean | q3 | maximum |
|---|---|---|---|---|---|
| 1 | 2 | 4 | 9.29 | 8 | 924 |
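An added example (not the report's own code) that reproduces the kind of summaries shown above over a small constructed set of flat records: messages per day with the six summary-table columns, Sunday spikes above a threshold, the encrypted share of all messages, and the most active from-to pairs. The report does not state how it identified encrypted messages, so the `is_encrypted` heuristic used here (a body that is a single base64 blob) is an assumption of this example, as are the user names, dates and bodies.

```python
"""Daily-activity, encrypted-share and from-to pair summaries (added example)."""
from __future__ import annotations
import base64
import re
import statistics
from collections import Counter
from datetime import date

# Constructed placeholder ciphertext: a bare base64 blob, the shape this example
# ASSUMES an encrypted Jabber message has in the flattened logs.
ENC = base64.b64encode(b"\x00" * 48).decode()

# Constructed records in the flat (date, from, to, body) shape the report builds.
# 2021-12-12 and 2021-12-19 are Sundays; 2021-12-12 is the "spike" day.
RECORDS = [
    {"date": "2021-12-11", "from": "stern", "to": "mango", "body": "status?"},
    {"date": "2021-12-12", "from": "mango", "to": "stern", "body": "deploying tonight"},
    {"date": "2021-12-12", "from": "mango", "to": "stern", "body": ENC},
    {"date": "2021-12-12", "from": "stern", "to": "mango", "body": ENC},
    {"date": "2021-12-12", "from": "defender", "to": "stern", "body": "ok"},
    {"date": "2021-12-13", "from": "mango", "to": "stern", "body": "done"},
    {"date": "2021-12-13", "from": "defender", "to": "mango", "body": ENC},
    {"date": "2021-12-13", "from": "mango", "to": "stern", "body": "report attached"},
    {"date": "2021-12-19", "from": "stern", "to": "mango", "body": "day off"},
]

BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def is_encrypted(body: str) -> bool:
    """Assumed heuristic: a body consisting of one long base64 blob is a ciphertext."""
    return BASE64_BLOB.fullmatch(body.strip()) is not None


def daily_counts(records, encrypted_only: bool = False) -> dict:
    """Messages per day (sorted by date), optionally restricted to encrypted ones."""
    counts = Counter(r["date"] for r in records
                     if not encrypted_only or is_encrypted(r["body"]))
    return dict(sorted(counts.items()))


def summary(values) -> dict:
    """The six summary-table columns. Quantiles use the inclusive method, which
    matches R's default quantile type 7, so results line up with an R workflow."""
    q1, median, q3 = statistics.quantiles(values, n=4, method="inclusive")
    return {"minimum": min(values), "q1": q1, "median": median,
            "mean": statistics.mean(values), "q3": q3, "maximum": max(values)}


def sunday_spikes(daily: dict, threshold: int) -> list:
    """Sundays (weekday() == 6) whose message count reaches the threshold."""
    return [(d, n) for d, n in daily.items()
            if date.fromisoformat(d).weekday() == 6 and n >= threshold]


def encrypted_share(records) -> float:
    """Fraction of all messages classified as encrypted."""
    return sum(is_encrypted(r["body"]) for r in records) / len(records)


def top_pairs(records, n: int = 3, encrypted_only: bool = False) -> list:
    """Most active (from, to) pairs, optionally counting only encrypted messages."""
    pairs = Counter((r["from"], r["to"]) for r in records
                    if not encrypted_only or is_encrypted(r["body"]))
    return pairs.most_common(n)


if __name__ == "__main__":
    daily = daily_counts(RECORDS)
    print("daily counts:", daily)
    print("summary:", summary(list(daily.values())))
    print("sunday spikes:", sunday_spikes(daily, 3))
    print(f"encrypted share: {encrypted_share(RECORDS):.1%}")
    print("top from-to pairs:", top_pairs(RECORDS, 3))
```

Because `summary` works on any list of per-unit counts, the same function produces the per-day table, the encrypted-per-day table, and the per-pair table from `top_pairs` output; only the grouping key changes.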
Companies like Chainalysis have been identifying wallets that are linked to criminal activity, such as darknet transactions. Chainalysis’s most famous work was helping the FBI identify two rogue agents who had been stealing bitcoins from the wallet of an online drug market operator.
Another company working on blockchain analysis software is the California startup CipherTrace. They have even gone as far as infecting their own systems with ransomware to track the coins that are used to decrypt the machines.
The first time we saw this video, in early June, it had only 21 views, but now the number is 425. The video was sent from many to revers on October 1, 2021. Google can filter the IP addresses of all people who viewed this video on that day.
Text from the article below:
was sent to stern by mango on July 16, just 2 days after it was published online. Conti probably follows:
```mermaid
flowchart TD
    A[CEO: Stern] --> F(COO: Mango)
    A --> B(HR: Salamandra)
    A --> C(Blog: Bio)
    A --> D(BuildMachine: Bentley)
    A --> E(Encoded Comms: Defender)
    A --> G(Reverse Eng: Revers)
```
Stern:
Mango:
Salamandra:
Bio:
mango->stern: Alka found contacts through relatives. My guys have excellent contact with the Russian diaspora in Brooklyn, we have our own chief judge there, what is the chairman of the court here - she immediately gave us her lawyer who is moving with her. All states have their own laws and, accordingly, lawyers. This one is specifically from Florida, he is local there, he seems to know everyone. At 5 in the morning he was blown up) all the data was given to him, he is already engaged. I told them this: we need to clarify the situation with all the latest news, find out who her lawyer is and what claims go to her, and so on, in general, for now, intelligence will try to get all the official papers that we have, and we will continue to think. We will try to make a victim out of her, got a job on the Internet, what she did and with whom she worked, she didn’t know, if the guys don’t let us down, we’ll pull her out or get the minimum possible. I’ll keep you informed.
mango->stern: Alka is transported from Florida to Ohai, she has a state lawyer because she doesn’t have money for her, as I understand it. We can get documents if our lawyer concludes an agreement with her for defense and will represent her. In order for him to start acting, you need to charge him 10k. And we need to think about how it is safe for him to send them to the US .. How and what’s next for now xs, everything is suspended there. Waiting for an answer.
mango->stern: look at the Alka what the hell.. she’s not an immigrant, she has all the relatives there, citizenship, and so on. there are 50 cases on it - episodes according to ours. passes like a Russian hacker, the case will most likely be political.
mango->stern: the couple with Alka lost a little, she’s not fucking young, she’s 55 years old))))) by Wednesday I’ll try to find an option how to send money to a lawyer, he began to rustle slowly, establishing contacts with her relatives for now. 55 may even be good, it will be easier to build a victim of circumstances ..
mango->stern: According to the professional - I spoke with him, he said that you yourself decide everything there and tell me what to do, as a result, there was no information from you or from him .. Bro, if possible, please pay a little more attention - I try to work on all your Wishlist, and you read everything through the line. and you ended up talking to him about the blockchain. I understand that the social network will be on the blockchain, but the development of the social network also needs coders - here he has them. As for the part of the blockchain, we will look for other people for this .. so, in the end, you didn’t talk to him for that at all, well, or I don’t understand something correctly in the tasks that you set Ebash here day and night on all fronts what you put, I want you to be happy with everything there, I constantly show some kind of initiative, and in the end you answer once a day at best .. And about the fact that he pulled up someone close - well, yes, he pulled it up, through his brother he found the right people to solve your problem. Nobody can do that to you online. And offline, I don’t think that you will find the same frostbitten guys who will agree to risk a normal white company with a good turnover and reputation, and even more than one in the end. I didn’t find it, and no one else would have found it, it’s not for you to buy coke on a hydra, there the private security service works like in the white house. It was just a fucking difficult task, and in the end we put the squeeze on it, bought it. I also promised the guys on my own behalf heifers and a sauna, because it really was, well, not very easy. The same goes for Alka - you set the task of solving her problem. I go out of my way to solve this, since I have good opportunities in this area - but again, this is all offline, through a trusted person in whom I am 100% sure. I perfectly understand that this is at least a thread to me. And I also understand my personal risks. 
But I do your request as for myself. In general, I try to solve all these very extravagant quests of yours. I worry about the results of the whole team as if they were my own. I get upset when negativity flies at the trick and I try to fix it all, fix it and finalize it .. I save your money like my own, I demand reports from everyone, I bargain with everything, I collect sanctions if there are such people for someone .. Everything is always clear on all financial issues and several times I unsubscribe to you what was spent where and how much, why and why. But I have a clear feeling that you are not interested in all this at all. I’m not an extrasensory. I can’t think of your cunning plan and all your wishes for you. Unsubscribe then tasks more precisely. I wrote about offline that I would do it through friends - I wrote this all the time. You didn’t say a word. And now you’re saying you can’t. We also talked about the budget of all these movements more than once - you wrote that ok, 50 60k norms suits you .. And then it turns out that you don’t need it anymore. I am writing that we have people whom we did not take into account earlier - I know that you do not have time for this, I decide the issue with them myself so as not to soar you and not beg for the next 3-5k, I unsubscribe everything to you and write down where and for what was spent - and you don’t even remember about it. You constantly make me think that you are not interested in what is happening here, that no matter how hard I try for you, I bring some results - and you fucking remember after 2 days about it .. “then, tomorrow, yes, ok” This for you, these are all trifles, but I lived here all my life until I organized and muddied all this. I will be so gray-haired in a year.
Important: They want to build a social network for darknet users on top of a private blockchain.
stern->mango: on social networks need movement
stern->mango: there must be at least 1 million people on the social network
mango->stern: therefore, I propose to use the social network at the initial stage, by the way, in order to create credibility and excitement - let it go by guarantee / vote
mango->stern: Bro prepared everything both on the social network and on articles for crypto contests, but there is a lot of information there, can it be uploaded somewhere in the archive?
mango->stern: I remind you once again that today left for Moscow time on your business, I’ll be in the late afternoon a sketch is ready on the social network, but I don’t know how relevant it all is, if necessary I will send it ..
stern->baget: write to mango@ he also makes a social network, you will be responsible for it too
mango->ghost: we make a social network primarily for ourselves and the community. in order to replace obsolete sites, etc., etc.
mango->ghost: the task is to make a social network so that the login password and private key. ita hacker. and all in one site. and how beautiful everything will be on the site - we will make an application out of it. And there, in general, the functionality will not be limited
mango->ghost: if you want to participate, write a report on some topic that is close to you, why it is, what are the prospects and how we can use it in the social network for darknet users)
mango->stern: And about the social network. Are we hiring people for this? Or just blockchain? The guy who wrote to you yesterday - he is not a blockchain developer, he has coders with php python, I thought they are needed for the social network, he wrote all this to you yesterday, but you probably didn’t read …
mango->stern: According to the professional - I spoke with him, he said that you yourself decide everything there and tell me what to do, as a result, there was no information from you or from him .. Bro, if possible, please pay a little more attention - I try to work on all your Wishlist, and you read everything through the line. and you ended up talking to him about the blockchain. I understand that the social network will be on the blockchain, but the development of the social network also needs coders - here he has them. As for the part of the blockchain, we will look for other people for this ..
mango->stern: I overclocked yesterday, fantasized fun functions, supposedly personal file storage, with the ability to share individual files, closed clubs of interest, entry into which would be considered by voting, open public groups for general discussion .. User reputation system to throw and intermediaries to eradicate and leave only really working guys .. You can also tie a bunch of services here, like the grandmothers did last week, when they gave the opportunity to spread the date to all hackers on their resources, even if they themselves and have nothing to do with their locker - any can put any date there for storage .. Here, under this social network, you can realize all your erotic fantasies in one place, both the exchange and file storage in the blockchain .. The works are gigantic volumes, without the experience of administration we ourselves will not pull, I think that we need to attract some kind of colleagues, like xss .. this will be the evolution of our underground into something more serious .. Uncles, think it all over, please, the topic is interesting, but very difficult.
stern->bloodrush: I’m addicted now, I’m interested in trading, defi, blockchain, new projects … everywhere there is an exhaust. And how boring everything is. I’m sure you’ll make your own there too. There is a big dream probably in this topic, I’m not sure that it is needed, but we will be useful to everyone. big companies have too many secrets that they hold on to, thinking that this is their main value, these patents and data.
stern->driver: Country Bot ID link: etrade.com login pass
bio->skippy: Do you really think that your information (more than 115 GB) is not worth that much money? Personal data of clients, financial statements of the company and so on are no longer interesting for DarkNet? I think you are wrong. But we can always check it by posting your information on the our blog and notifying Internet news agencies. I think the courts and competitors will quickly let you know about yourself.
mango->buza: I’m talking about exactly searching for contacts and collecting information and a person, breaking through social networks and so on … immediately collect information, as soon as they got stuck - we already had the necessary contacts, phones, their partners, and options for how to hit them [00:39:30]in ad_users there is all the info, there are all employees and their mails, surnames, etc. [00:39:33] and positions [00:39:45] then you need to do this [00:39:58] if you pick up the date - provide these contacts to us at least for study [00:40:27] Of course [00:40:31] We will immediately give out everything [00:40:33] everything you take from the network - everything that is useful to us for analysis would be cool of course [00:40:40] it is necessary to somehow coordinate everyone now [00:40:45] so that all this does not rest on us) [00:41:17] will you add me to the rocket? [00:41:19] must be terribly tinny. you spelled it correctly [00:41:23] let’s do it tomorrow [00:41:39] kk [00:41:44] timing is one thing, they need to be afraid of leaks [00:41:49] we need to study plums in more detail [00:42:03] and see what’s useful there, latest developments, etc., everything that can cost them money [00:42:05] yes, to study in detail the information that we pump out from them [00:42:10] and not just from the bold fill in the mega
We created the initial versions of tutorials implementing the workflows that we developed for data analysis, text mining, natural language processing, visualizations, geographic maps and network analysis.
We have an R version based on Quarto notebooks, and a Python version also based on Quarto notebooks and RStudio. We developed more than 70 pages of instructional materials that we hope to be able to keep improving and expanding into proper hands-on tutorials and self-contained educational modules on the workflows we developed for investigating the Conti chat logs that can be applied to any other similar dataset.
In addition to better understanding the command and control structure of the Conti group, we believe the data we mined from the Conti chat logs contains some actionable intelligence that could aid the DHS and other law enforcement agencies in identifying the individuals behind the group: tracking a subset of the 278 unique BTC wallet addresses used to make regular salary payments to Conti members, especially when the bitcoins are accessed at BTC exchanges.
The information about Alka, a US citizen held on unspecified (possibly hacking-related) charges in Florida last year, could prove quite valuable, given how important this 56-year-old woman appears to be to the Conti leadership.
The 315 IP addresses, along with their geolocations, which we mined using a separate IP database from IP2Location, could also provide some useful historical information about the VPN servers they used, even though they probably stopped using them after their chat logs were released.
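An added example (not the report's code) of the mining step behind the wallet-address and IP-address counts above: it pulls legacy Bitcoin addresses out of message bodies and keeps only those whose Base58Check checksum verifies, counting repeats so that recurring payment addresses stand out, and it extracts IPv4 literals and validates them with the standard library. The message bodies are constructed; the one valid wallet address is the publicly known genesis-block address, used here purely as a checksum test vector; the IPs come from documentation and private ranges; and the geolocation lookup the report did with IP2Location is not part of this example.

```python
"""Extract Bitcoin wallet and IPv4 addresses from chat bodies (added example)."""
import hashlib
import ipaddress
import re
from collections import Counter

# Constructed message bodies. The valid wallet address is the public genesis-block
# address (a standard Base58Check test vector); the copy with two characters
# changed has a broken checksum; the IPs are RFC 5737 / RFC 1918 sample ranges.
BODIES = [
    "salary for june: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
    "pay 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa again, same as last month",
    "do not pay 1A1zP1eP5QGefi2DMPTfTL5SLmv7Divfxa, the address is mistyped",
    "new vpn 203.0.113.7:443, old box 10.0.0.5 is dead, 999.1.2.3 is not an ip",
]

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH ('1...') and P2SH ('3...') addresses only; bech32 'bc1...' is not handled.
BTC_RE = re.compile(r"\b[13][" + B58_ALPHABET + r"]{25,34}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def b58decode(text: str) -> bytes:
    """Decode Base58 text; each leading '1' stands for a leading zero byte."""
    number = 0
    for ch in text:
        number = number * 58 + B58_ALPHABET.index(ch)  # ValueError on a bad char
    body = number.to_bytes((number.bit_length() + 7) // 8, "big")
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_legacy_address(text: str) -> bool:
    """True when the decoded address is 25 bytes (1 version + 20 hash + 4 checksum)
    and the checksum equals the first 4 bytes of SHA-256(SHA-256(version + hash))."""
    try:
        data = b58decode(text)
    except ValueError:
        return False
    if len(data) != 25:
        return False
    payload, checksum = data[:21], data[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_btc_addresses(bodies) -> Counter:
    """Count each checksum-valid address; a high count hints at recurring payments."""
    found = Counter()
    for body in bodies:
        for candidate in BTC_RE.findall(body):
            if is_valid_legacy_address(candidate):
                found[candidate] += 1
    return found


def extract_ipv4(bodies) -> dict:
    """Count syntactically valid IPv4 literals and flag which are globally routable."""
    found = {}
    for body in bodies:
        for candidate in IPV4_RE.findall(body):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. an octet above 255
            entry = found.setdefault(str(ip), {"count": 0, "global": ip.is_global})
            entry["count"] += 1
    return found


if __name__ == "__main__":
    for addr, n in extract_btc_addresses(BODIES).most_common():
        print(f"wallet {addr}: {n} mention(s)")
    for addr, info in extract_ipv4(BODIES).items():
        print(f"ip {addr}: {info['count']} mention(s), global={info['global']}")
```

Validating the checksum matters because a bare regex also matches ordinary base58-looking tokens and mistyped addresses; only the checksum-valid set is worth handing to a blockchain-analysis tool, and the `global` flag separates VPN endpoints worth a geolocation lookup from internal lab addresses.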
The group could possibly be infiltrated through their recruitment practices via https://hh.ru/.
From defender to her/himself:
yvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fwa fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf wa yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy vafy va fyva fyv ayf va